[Freeipa-users] Re: AddTrust CA expiration
Also, sorry for the follow-up, but I forgot to mention: all services and communication seem to be working with the exception of the following.

1. Joining new servers to IPA, as the join still downloads the bundle for path A and puts it in /etc/ipa/ca.crt, which will then fail on the API calls to IPA.

2. Executing ipa-certupdate on any host fails. For ipa-certupdate to even work, I have to manually clean up ca.crt so it contains only the path C CA certificates. Then it will start to work and hit the API, but it rewrites the /etc/ipa/ca.crt file and fails on the last steps.

I'm guessing the join and the update are both getting the CA certs from the API, which is reaching into the LDAP DB itself. If I can get those old CAs removed and the new ones added, I'm hoping all will be fixed.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] AddTrust CA expiration
On May 30, 2020, the AddTrust CA expired as a CA. I'll get to the IPA issue after a bit of background in case everyone is not familiar.

The external certs we're using are from InCommon and were cross-signed by AddTrust. When we originally got the certs, trust path A was:

  AddTrust Ext CA -> UserTrust CA (intermediate) -> InCommon CA (intermediate) -> server_cert

Path B, which should have worked, was:

  UserTrust CA (root) -> InCommon CA (intermediate) -> server_cert

How OpenSSL is supposed to work is that after path A expires, it's supposed to use path B. Unfortunately, for OpenSSL and OpenLDAP in CentOS/RHEL 7 and older there is a bug: that does not happen, and it will not attempt path B. See bugzilla for more information: https://bugzilla.redhat.com/show_bug.cgi?id=1840767

The only way I could get them to walk path B was to remove the AddTrust CA from all OpenSSL certificate stores. Blacklisting doesn't work either, as it just marked the certs as self-signed.

Fortunately there is a path C that we can deploy and force that trust path:

  Comodo AAA Certificate (root) -> UserTrust CA (intermediate) -> InCommon CA (intermediate) -> server_cert

This is also the cert bundle now provided by InCommon.

The main issue here is that when OpenSSL "builds" the extracted certificates, it adds in the CAs from both /etc/ipa/ca.crt and from katello-ca.crt. We've been able to update the katello one and push that out as an RPM; we're having issues with the CA distributed by IdM.

=== actual issue with IPA ===

Post May 30, we could no longer log into IPA. We'd attempted to follow the process for "updating" the certificate. That didn't work. We did an install, as we did end up adding a new signed server certificate. That didn't update the root or the intermediate CAs.
So I went in with a hammer and manually removed the offending AddTrust cert chain A from the following NSS DB files:

  /etc/httpd/alias
  /etc/pki/pki-tomcat/alias
  /etc/dirsrv/slapd-LIDS-VIRGINIA-EDU
  /etc/ipa/nssdb

I also manually cleaned up the /etc/ipa/ca.crt and /etc/pki/ca-trust/source/ipa.p11-kit cert stores.

With the above, I was able to get IPA to restart, and we could then log into the console and do all we needed to do.

The issue now is that the command "ipa-certupdate" still pulls the old AddTrust cert path, and I'm pretty sure it's because it's stored in 389ds:

  ldapsearch -x -b dc=dom,dc=example,dc=com "(objectClass=ipaCertificate)" | grep Subject
  ipaCertSubject: CN=Certificate Authority,O=DOM.EXAMPLE.COM
  ipaCertSubject: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,
  ipaCertSubject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Netwo
  ipaCertSubject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,

How do I update LDAP without things blowing up (oh, we're 3-node clustered as well)? Or better yet, was there a better way to replace the certs? Our main com.example.com CA is just fine. All the articles/info I could find were about replacing that and not the external CAs.

CentOS/RHEL 8 does not have this problem, btw. It's fixed in OpenSSL 1.1.1.
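The two AddTrust messages above come down to one question: ipa-certupdate and client enrollment take their CA list from the ipaCertificate entries in 389ds, so how do you see what is there and remove the stale one? As an added example, not part of the original thread and not FreeIPA's own tooling, here is a small Python script that parses the LDIF an `ldapsearch -LLL` over `(objectClass=ipaCertificate)` returns (folded lines, base64 `::` values, `;binary` attributes), lists each entry's DN and subject, and builds an LDIF delete record for the entries whose subject matches a pattern. The sample LDIF, the entry nicknames under cn=certificates,cn=ipa,cn=etc,<suffix> and the cACertificate;binary payloads are constructed for this example; only the suffix and the four subjects come from the post.

```python
"""List FreeIPA CA-store entries from ldapsearch LDIF and build a delete LDIF.

Added example for the AddTrust thread; not FreeIPA code. The sample LDIF
below is constructed: the DNs (nicknames) and certificate bytes are
placeholders, the suffix and subjects mirror the post.
"""
import base64
import re

SUFFIX = "dc=dom,dc=example,dc=com"
# FreeIPA keeps the shared CA certificates in this container (assumed here).
CONTAINER = "cn=certificates,cn=ipa,cn=etc," + SUFFIX

# Constructed stand-in for:
#   ldapsearch -LLL -b "$CONTAINER" '(objectClass=ipaCertificate)'
# 'MIIBAQ==' is a 4-byte placeholder, not a real certificate.
SAMPLE_LDIF = """\
dn: cn=DOM.EXAMPLE.COM IPA CA,%(c)s
objectClass: ipaCertificate
ipaCertSubject: CN=Certificate Authority,O=DOM.EXAMPLE.COM
cACertificate;binary:: MIIBAQ==

dn: cn=InCommon RSA Server CA,%(c)s
objectClass: ipaCertificate
ipaCertSubject: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,
 ST=MI,C=US
cACertificate;binary:: MIIBAQ==

dn: cn=USERTrust RSA Certification Authority,%(c)s
objectClass: ipaCertificate
ipaCertSubject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
cACertificate;binary:: MIIBAQ==

dn: cn=AddTrust External CA Root,%(c)s
objectClass: ipaCertificate
ipaCertSubject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
cACertificate;binary:: MIIBAQ==
""" % {"c": CONTAINER}

# attribute name, ':' or '::' (base64), optional space, value
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):(:?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF as printed by `ldapsearch -LLL` into a list of entries.

    Each entry maps the lower-cased attribute name to a list of values.
    Continuation lines (leading single space) are unfolded first; '::'
    values are base64-decoded, ';binary' attributes keep raw bytes and
    everything else is decoded as UTF-8 text.
    """
    unfolded = re.sub(r"\r?\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = ATTR_LINE.match(line)
            if not m:
                raise ValueError("not an LDIF attribute line: %r" % line)
            attr, is_b64, raw = m.group(1).lower(), m.group(2) == ":", m.group(3)
            if is_b64:
                value = base64.b64decode(raw)
                if not attr.endswith(";binary"):
                    value = value.decode("utf-8")
            else:
                value = raw
            entry.setdefault(attr, []).append(value)
        if "dn" not in entry:
            raise ValueError("entry without dn: %r" % block[:60])
        entries.append(entry)
    return entries


def dns_with_subject(entries, pattern):
    """Return the DNs of entries whose ipaCertSubject matches the regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e["dn"][0] for e in entries
            if any(rx.search(s) for s in e.get("ipacertsubject", []))]


def delete_ldif(dns):
    """Build LDIF change records (one 'changetype: delete' per DN) for ldapmodify."""
    return "".join("dn: %s\nchangetype: delete\n\n" % dn for dn in dns)


if __name__ == "__main__":
    certs = parse_ldif(SAMPLE_LDIF)
    for e in certs:
        print(e["dn"][0], "->", e["ipacertsubject"][0])
    stale = dns_with_subject(certs, r"AddTrust External CA Root")
    print(delete_ldif(stale), end="")
```

To use it against a real server, save the output of `ldapsearch -LLL -D 'cn=Directory Manager' -W -b 'cn=certificates,cn=ipa,cn=etc,dc=dom,dc=example,dc=com' '(objectClass=ipaCertificate)'` (that file is also your backup), confirm the pattern selects only the DN you mean, and apply the generated record with `ldapmodify` on one server only; in a replicated topology the deletion replicates to the other nodes, after which `ipa-certupdate` on each host picks up the new list. Newer FreeIPA releases ship an `ipa-cacert-manage delete` subcommand for this operation; check `ipa-cacert-manage --help` on your version before scripting against LDAP directly.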
[Freeipa-users] Re: IPA -> AD trust : can't ssh with an AD user
Florence, I didn't change anything and it now works :\ Anyway, I'll follow your recommendation and use external groups and so on. Thanks!
[Freeipa-users] Re: Add Windows host in Freeipa
On Thu, 04 Jun 2020, dmitriys via FreeIPA-users wrote:
> Good day!
> I tried to add a Windows host in FreeIPA and get
>
> 04:05:59.302019 IP (tos 0x0, ttl 123, id 27536, offset 0, flags [none], proto UDP (17), length 205)
>     cyberark-psm.exemple.com.54676 > ldap.exemple.com.kerberos: [udp sum ok] v5
> 04:05:59.303073 IP (tos 0x0, ttl 64, id 24242, offset 0, flags [DF], proto UDP (17), length 187)
>     ldap.exemple.com.kerberos > cyberark-psm.exemple.com.54676: [bad udp cksum 0x9a1a -> 0x88b5!]
>
> Can you help me with this issue?

No. It is *not* a supported configuration to enroll Windows hosts in FreeIPA.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Add Windows host in Freeipa
On 6/4/20 10:07 AM, dmitriys via FreeIPA-users wrote:
> Good day!
> I tried to add a Windows host in FreeIPA and get

Hi,

can you provide a little more context? What do you mean by "add windows host in Freeipa", which command are you running and what is the output? It's difficult to understand from a tcpdump...

flo

> 04:05:59.302019 IP (tos 0x0, ttl 123, id 27536, offset 0, flags [none], proto UDP (17), length 205)
>     cyberark-psm.exemple.com.54676 > ldap.exemple.com.kerberos: [udp sum ok] v5
> 04:05:59.303073 IP (tos 0x0, ttl 64, id 24242, offset 0, flags [DF], proto UDP (17), length 187)
>     ldap.exemple.com.kerberos > cyberark-psm.exemple.com.54676: [bad udp cksum 0x9a1a -> 0x88b5!]
>
> Can you help me with this issue?
[Freeipa-users] Re: IPA -> AD trust : can't ssh with an AD user
Hi,

in order to use AD users or groups in HBAC/sudo rules, you need to first create an external group (ipa group-add --external extgrp) that will contain your AD users/groups, then create a POSIX group (ipa group-add grp) and add the external group as a member of the POSIX group (ipa group-add-member grp --groups extgrp). The HBAC and sudo rules need to use the POSIX group, not the external group.

This is explained in "Creating IdM Groups for Active Directory Users" [1] in the book "Windows Integration Guide".

Hope this clarifies,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust-groups

On 6/4/20 12:33 PM, Christophe BERGER via FreeIPA-users wrote:
> Good morning all,
>
> I created a lab with FreeIPA and AD with a trust.
> - AD domain: test.lu
> - IPA domain: test2.lu
>
> I have installed an Oracle Linux 8.2 VM as the client.
>
> I created a FreeIPA user group: tgo_admins
> There are 2 members:
> - ipalocaluser (local IPA account)
> - aduser (AD account)
>
>   sudo ipa group-show tgo_admins
>     Group name: tgo_admins
>     External member: adu...@test.lu
>     Member users: ipalocaluser
>     Member of groups: admins
>     Member of Sudo rule: tgo_admins
>     Member of HBAC rule: tgo_admins
>
> The HBAC rule allows tgo_admins to log in on any machine.
> The sudo rule allows tgo_admins to sudo on any machine.
>
> - With an account created in FreeIPA I can ssh to the VM:
>
>   ssh ipalocaluser@10.168.78.122
>   Last login: Thu Jun 4 14:23:43 2020 from 10.168.78.1
>   [ipalocaluser@ipa-test ~]$ klist
>   Ticket cache: KCM:70385:58408
>   Default principal: ipalocalu...@test2.lu
>
>   Valid starting       Expires              Service principal
>   06/04/2020 14:24:01  06/05/2020 14:24:01  krbtgt/test2...@test2.lu
>
> - With the AD account, it fails to log in:
>
>   ssh adu...@test.lu@10.168.78.122
>   adu...@test.lu@10.168.78.122's password:
>   adu...@test.lu@10.168.78.122's password:
>
> The password is correct, I double checked.
>
> From the workstation itself, the authentication looks fine:
>
>   sudo kinit adu...@test.lu
>   Password for adu...@test.lu:
>   [cbr@ipa-test ~]$ sudo klist
>   Ticket cache: KCM:0:28293
>   Default principal: adu...@test.lu
>
>   Valid starting       Expires              Service principal
>   06/04/2020 12:31:53  06/04/2020 22:31:53  krbtgt/test...@test.lu
>       renew until 06/05/2020 12:31:50
>
> I can also sudo su - adu...@test.lu
>
>   Creating home directory for adu...@test.lu.
>   Last failed login: Thu Jun 4 14:30:52 CEST 2020 from 10.168.78.1 on ssh:notty
>   There were 2 failed login attempts since the last successful login.
>
> Any idea?
[Freeipa-users] IPA -> AD trust : can't ssh with an AD user
Good morning all,

I created a lab with FreeIPA and AD with a trust.
- AD domain: test.lu
- IPA domain: test2.lu

I have installed an Oracle Linux 8.2 VM as the client.

I created a FreeIPA user group: tgo_admins
There are 2 members:
- ipalocaluser (local IPA account)
- aduser (AD account)

  sudo ipa group-show tgo_admins
    Group name: tgo_admins
    External member: adu...@test.lu
    Member users: ipalocaluser
    Member of groups: admins
    Member of Sudo rule: tgo_admins
    Member of HBAC rule: tgo_admins

The HBAC rule allows tgo_admins to log in on any machine.
The sudo rule allows tgo_admins to sudo on any machine.

- With an account created in FreeIPA I can ssh to the VM:

  ssh ipalocaluser@10.168.78.122
  Last login: Thu Jun 4 14:23:43 2020 from 10.168.78.1
  [ipalocaluser@ipa-test ~]$ klist
  Ticket cache: KCM:70385:58408
  Default principal: ipalocalu...@test2.lu

  Valid starting       Expires              Service principal
  06/04/2020 14:24:01  06/05/2020 14:24:01  krbtgt/test2...@test2.lu

- With the AD account, it fails to log in:

  ssh adu...@test.lu@10.168.78.122
  adu...@test.lu@10.168.78.122's password:
  adu...@test.lu@10.168.78.122's password:

The password is correct, I double checked.

From the workstation itself, the authentication looks fine:

  sudo kinit adu...@test.lu
  Password for adu...@test.lu:
  [cbr@ipa-test ~]$ sudo klist
  Ticket cache: KCM:0:28293
  Default principal: adu...@test.lu

  Valid starting       Expires              Service principal
  06/04/2020 12:31:53  06/04/2020 22:31:53  krbtgt/test...@test.lu
      renew until 06/05/2020 12:31:50

I can also sudo su - adu...@test.lu

  Creating home directory for adu...@test.lu.
  Last failed login: Thu Jun 4 14:30:52 CEST 2020 from 10.168.78.1 on ssh:notty
  There were 2 failed login attempts since the last successful login.

Any idea?
[Freeipa-users] Add Windows host in Freeipa
Good day!

I tried to add a Windows host in FreeIPA and get

  04:05:59.302019 IP (tos 0x0, ttl 123, id 27536, offset 0, flags [none], proto UDP (17), length 205)
      cyberark-psm.exemple.com.54676 > ldap.exemple.com.kerberos: [udp sum ok] v5
  04:05:59.303073 IP (tos 0x0, ttl 64, id 24242, offset 0, flags [DF], proto UDP (17), length 187)
      ldap.exemple.com.kerberos > cyberark-psm.exemple.com.54676: [bad udp cksum 0x9a1a -> 0x88b5!]

Can you help me with this issue?